PHPCS - WordPress.Security.EscapeOutput (#110)

* autofixes

* remove prefix underscores

* fix spacing in resize text

* move whitespace

* Do not escale error messages before being outputted to html

* Unexclude escape output

* phpcs: bulk-optimization.php

* phpcs account-status-create-advanced

* phpcs compress-details-processing

* fix create-simpel

* phpcs dashboard-widget

* phpcs optimization-chart

* phpcs status-connected

* phpcs compress-details

* phpcs upgrade notice

* notice-feedback

* exceptions are handled on client usage in views

* phpcs notices

* phpcs class-tiny-compress.php

* phpcs settings

* phpcs tiny-plugin

* remove parameter

* use Tiny_Image

* typo

* ignore exception, is not outputted

* use esc_url instead of esc_html on urls

* add checked mock func

* fix test

Author: tijmenbruggeman

phpcs.xml

@@ -11,7 +11,6 @@
     <exclude name="Squiz.PHP.CommentedOutCode.Found" />
 
     <!-- Fix security issues -->
-    <exclude name="WordPress.Security.EscapeOutput" />
     <exclude name="WordPress.Security.ValidatedSanitizedInput" />
     <exclude name="WordPress.Security.NonceVerification" />
 

src/class-tiny-compress-client.php

@@ -1,4 +1,5 @@
 <?php
+// phpcs:disable WordPress.Security.EscapeOutput.ExceptionNotEscaped
 /*
 * Tiny Compress Images - WordPress plugin.
 * Copyright (C) 2015-2018 Tinify B.V.

src/class-tiny-compress-fopen.php

@@ -1,4 +1,5 @@
 <?php
+// phpcs:disable WordPress.Security.EscapeOutput.ExceptionNotEscaped
 /*
 * Tiny Compress Images - WordPress plugin.
 * Copyright (C) 2015-2018 Tinify B.V.

src/class-tiny-compress.php

@@ -109,14 +109,17 @@ public function compress_file(
 		$convert_to = array()
 	) {
 		if ( $this->get_key() == null ) {
+			// phpcs:ignore WordPress.Security.EscapeOutput.ExceptionNotEscaped -- not used in output
 			throw new Tiny_Exception( self::KEY_MISSING, 'KeyError' );
 		}
 
 		if ( ! file_exists( $file ) ) {
+			// phpcs:ignore WordPress.Security.EscapeOutput.ExceptionNotEscaped -- not used in output
 			throw new Tiny_Exception( self::FILE_MISSING, 'FileError' );
 		}
 
 		if ( ! is_writable( $file ) ) {
+			// phpcs:ignore WordPress.Security.EscapeOutput.ExceptionNotEscaped -- not used in output
 			throw new Tiny_Exception( self::WRITE_ERROR, 'FileError' );
 		}
 
@@ -141,7 +144,7 @@ public function compress_file(
 		try {
 			file_put_contents( $file, $output );
 		} catch ( Exception $e ) {
-			throw new Tiny_Exception( $e->getMessage(), 'FileError' );
+			throw new Tiny_Exception( esc_html( $e->getMessage() ), 'FileError' );
 		}
 
 		if ( $convert_output ) {
@@ -153,7 +156,7 @@ public function compress_file(
 			try {
 				file_put_contents( $converted_filepath, $convert_output );
 			} catch ( Exception $e ) {
-				throw new Tiny_Exception( $e->getMessage(), 'FileError' );
+				throw new Tiny_Exception( esc_html( $e->getMessage() ), 'FileError' );
 			}
 			$details['convert']['path'] = $converted_filepath;
 		}

src/class-tiny-image-size.php

@@ -231,7 +231,6 @@ public function mark_duplicate( $duplicate_size_name ) {
 		$this->duplicate         = true;
 		$this->duplicate_of_size = $duplicate_size_name;
 	}
-
 	public function is_duplicate() {
 		return $this->duplicate;
 	}

src/class-tiny-notices.php

@@ -172,16 +172,17 @@ public function show( $name, $message, $klass = 'error', $dismissible = true ) {
 		}
 
 		$css         = implode( ' ', $css );
-		$plugin_name = esc_html__(
+		$plugin_name = __(
 			'TinyPNG - JPEG, PNG & WebP image compression',
 			'tiny-compress-images'
 		);
 
 		add_action(
 			'admin_notices',
 			function () use ( $css, $name, $plugin_name, $message, $add ) {
-				echo '<div class="' . $css . '" data-name="' . $name . '"><p>' .
-					$plugin_name . ': ' . $message . $add . '</div>';
+				echo '<div class="' . esc_attr( $css ) . '" data-name="' .
+					esc_attr( $name ) . '"><p>' . esc_html( $plugin_name ) .
+					': ' . wp_kses_post( $message ) . wp_kses_post( $add ) . '</div>';
 			}
 		);
 	}
@@ -324,7 +325,7 @@ private function show_incompatible_plugins( $incompatible_plugins ) {
 		add_action(
 			'admin_notices',
 			function () use ( $notice ) {
-				echo $notice;
+				echo wp_kses_post( $notice );
 			}
 		);
 	}

src/class-tiny-plugin.php

@@ -547,7 +547,7 @@ private function validate_ajax_attachment_request() {
 	public function compress_image_from_library() {
 		$response = $this->validate_ajax_attachment_request();
 		if ( isset( $response['error'] ) ) {
-			echo $response['error'];
+			echo esc_html( $response['error'] );
 			exit();
 		}
 		list($id, $metadata) = $response['data'];
@@ -570,7 +570,7 @@ public function compress_image_from_library() {
 		// anymore, so other plugins are less likely to be triggered.
 		wp_update_attachment_metadata( $id, $tiny_image->get_wp_metadata() );
 
-		echo $this->render_compress_details( $tiny_image );
+		$this->render_compress_details( $tiny_image );
 
 		exit();
 	}
@@ -656,14 +656,14 @@ public function ajax_compression_status() {
 		$response = $this->validate_ajax_attachment_request();
 
 		if ( isset( $response['error'] ) ) {
-			echo $response['error'];
+			echo esc_html( $response['error'] );
 			exit();
 		}
 		list($id, $metadata) = $response['data'];
 
 		$tiny_image = new Tiny_Image( $this->settings, $id, $metadata );
 
-		echo $this->render_compress_details( $tiny_image );
+		$this->render_compress_details( $tiny_image );
 
 		exit();
 	}
@@ -877,15 +877,15 @@ public static function uninstall() {
 	public function mark_image_as_compressed() {
 		$response = $this->validate_ajax_attachment_request();
 		if ( isset( $response['error'] ) ) {
-			echo $response['error'];
+			echo esc_html( $response['error'] );
 			exit();
 		}
 
 		list($id, $metadata) = $response['data'];
 		$tiny_image          = new Tiny_Image( $this->settings, $id, $metadata );
 		$tiny_image->mark_as_compressed();
 
-		echo $this->render_compress_details( $tiny_image );
+		$this->render_compress_details( $tiny_image );
 
 		exit();
 	}

src/class-tiny-settings.php

@@ -460,7 +460,14 @@ public function render_settings_moved() {
 					),
 				)
 			),
-			$link
+			wp_kses(
+				$link,
+				array(
+					'a' => array(
+						'href' => array(),
+					),
+				)
+			)
 		);
 		echo '</div>';
 	}
@@ -470,14 +477,14 @@ public function render_compression_timing_settings() {
 			'When should new images be compressed?',
 			'tiny-compress-images'
 		);
-		echo '<h4>' . $heading . '</h4>';
+		echo '<h4>' . esc_html( $heading ) . '</h4>';
 		echo '<div class="optimization-options">';
 
 		$name               = self::get_prefixed_name( 'compression_timing' );
 		$compression_timing = $this->get_compression_timing();
 
 		$id      = self::get_prefixed_name( 'background_compress_enabled' );
-		$checked = ( 'background' === $compression_timing ? ' checked="checked"' : '' );
+		$checked = ( 'background' === $compression_timing );
 
 		$label       = esc_html__(
 			'Compress new images in the background (Recommended)',
@@ -493,12 +500,11 @@ public function render_compression_timing_settings() {
 			$label,
 			$description,
 			'background',
-			$checked,
-			false
+			$checked
 		);
 
 		$id      = self::get_prefixed_name( 'auto_compress_enabled' );
-		$checked = ( 'auto' === $compression_timing ? ' checked="checked"' : '' );
+		$checked = ( 'auto' === $compression_timing );
 
 		$label       = esc_html__(
 			'Compress new images during upload',
@@ -514,12 +520,11 @@ public function render_compression_timing_settings() {
 			$label,
 			$description,
 			'auto',
-			$checked,
-			false
+			$checked
 		);
 
 		$id      = self::get_prefixed_name( 'auto_compress_disabled' );
-		$checked = ( 'manual' === $compression_timing ? ' checked="checked"' : '' );
+		$checked = ( 'manual' === $compression_timing );
 
 		$label       = esc_html__(
 			'Do not compress new images automatically',
@@ -535,16 +540,16 @@ public function render_compression_timing_settings() {
 			$label,
 			$description,
 			'manual',
-			$checked,
-			false
+			$checked
 		);
 
 		echo '</div>';
 	}
 
 	public function render_sizes() {
+		$dummy_size_name = self::get_prefixed_name( 'sizes[' . self::DUMMY_SIZE . ']' );
 		echo '<input type="hidden" name="' .
-			self::get_prefixed_name( 'sizes[' . self::DUMMY_SIZE . ']' ) . '" value="on"/>';
+			esc_attr( $dummy_size_name ) . '" value="on"/>';
 
 		foreach ( $this->get_sizes() as $size => $option ) {
 			$this->render_size_checkboxes( $size, $option );
@@ -568,7 +573,7 @@ public function render_sizes() {
 	private function render_size_checkboxes( $size, $option ) {
 		$id      = self::get_prefixed_name( "sizes_$size" );
 		$name    = self::get_prefixed_name( 'sizes[' . $size . ']' );
-		$checked = ( $option['tinify'] ? ' checked="checked"' : '' );
+		$checked = ! empty( $option['tinify'] );
 		if ( Tiny_Image::is_original( $size ) ) {
 			$label = esc_html__( 'Original image', 'tiny-compress-images' ) . ' (' .
 				esc_html__(
@@ -592,9 +597,9 @@ private function render_size_checkboxes( $size, $option ) {
 				. ' - ' . $width . 'x' . $height;
 		}
 		echo '<p>';
-		echo '<input type="checkbox" id="' . $id . '" name="' . $name .
-			'" value="on" ' . $checked . '/>';
-		echo '<label for="' . $id . '">' . $label . '</label>';
+		echo '<input type="checkbox" id="' . esc_attr( $id ) . '" name="' . esc_attr( $name ) .
+			'" value="on"' . checked( $checked, true, false ) . '/>';
+		echo '<label for="' . esc_attr( $id ) . '">' . esc_html( $label ) . '</label>';
 		echo '</p>';
 	}
 
@@ -646,7 +651,7 @@ public function render_size_checkboxes_description(
 					),
 					$strong
 				),
-				$free_images_per_month
+				esc_html( $free_images_per_month )
 			);
 
 			if ( self::wr2x_active() ) {
@@ -683,7 +688,7 @@ public function render_compression_timing_radiobutton(
 				'For compression to work you will need to configure WP Offload S3 to keep a copy of the images on the server.',
 				'tiny-compress-images'
 			);
-			echo $message;
+			echo esc_html( $message );
 			echo '</p></div>';
 			echo '<p class="tiny-radio disabled">';
 		} else {
@@ -693,11 +698,11 @@ public function render_compression_timing_radiobutton(
 		$id    = sprintf( self::get_prefixed_name( 'compression_timing_%s' ), $value );
 		$label = esc_html( $label );
 		$desc  = esc_html( $desc );
-		echo '<input type="radio" id="' . $id . '" name="' . $name .
-			'" value="' . $value . '" ' . $checked . '/>';
-		echo '<label for="' . $id . '">' . $label . '</label>';
+		echo '<input type="radio" id="' . esc_attr( $id ) . '" name="' . esc_attr( $name ) .
+			'" value="' . esc_attr( $value ) . '"' . checked( $checked, true, false ) . '/>';
+		echo '<label for="' . esc_attr( $id ) . '">' . esc_html( $label ) . '</label>';
 		echo '<br>';
-		echo '<span>' . $desc . '</span>';
+		echo '<span>' . esc_html( $desc ) . '</span>';
 		echo '</p>';
 	}
 
@@ -955,11 +960,11 @@ private static function render_radiobutton(
 		$label,
 		$descr
 	) {
-		$checked = ( $current_value === $option_value ? ' checked="checked"' : '' );
+		$checked = ( $current_value === $option_value );
 		echo '<p class="tiny-radio">';
 		echo '<input type="radio" data-testid="' . esc_attr( $option_id ) . '" ';
-		echo 'id="' . esc_attr( $option_id ) . '" name="' . $group_name .
-			'" value="' . esc_attr( $option_value ) . '" ' . $checked . '/>';
+		echo 'id="' . esc_attr( $option_id ) . '" name="' . esc_attr( $group_name ) .
+			'" value="' . esc_attr( $option_value ) . '"' . checked( $checked, true, false ) . '/>';
 		echo '<label for="' . esc_attr( $option_id ) . '">' . esc_html( $label );
 		echo '<span>' . esc_html( $descr ) . '</span>';
 		echo '</label>';

src/views/account-status-connected.php

@@ -1,3 +1,16 @@
+<?php
+/**
+ * Account status connected view.
+ *
+ * Account connection status.
+ * @var object $status {
+ *     @type bool        $ok      Whether the API connection is successful.
+ *     @type bool        $pending Whether the connection is pending activation.
+ *     @type string|null $message Optional status message.
+ * }
+ * @var string $key The API key.
+ */
+?>
 <div class="tiny-account-status" id="tiny-account-status" data-state="complete">
 	<div class="status <?php echo $status->ok ? ( $status->pending ? 'status-pending' : 'status-success' ) : 'status-failure'; ?>">
 		<p class="status"><span>
@@ -39,7 +52,7 @@
 						),
 						$strong
 					),
-					$remaining_credits
+					intval( $remaining_credits )
 				);
 			} elseif ( ! $status->pending ) {
 				printf(
@@ -48,7 +61,7 @@
 						'You have made %s compressions this month.',
 						'tiny-compress-images'
 					),
-					$compressions
+					intval( $compressions )
 				);
 			}
 		} elseif ( isset( $status->message ) ) {
@@ -92,7 +105,15 @@
 					'Enter your API key. If you have lost your key, go to your %s to retrieve it.',
 					'tiny-compress-images'
 				),
-				$link
+				wp_kses(
+					$link,
+					array(
+						'a' => array(
+							'href'   => array(),
+							'target' => array(),
+						),
+					)
+				)
 			);
 			?>
 		</p>
@@ -115,7 +136,7 @@
 			<div class="button-container">
 				<div class="box">
 					<?php $encoded_email = str_replace( '%20', '%2B', rawurlencode( self::get_email_address() ) ); ?>
-					<a href="https://tinypng.com/dashboard/api?type=upgrade&mail=<?php echo $encoded_email; ?>" target="_blank" class="button button-primary upgrade-account">
+					<a href="<?php echo esc_url( 'https://tinypng.com/dashboard/api?type=upgrade&mail=' . $encoded_email ); ?>" target="_blank" class="button button-primary upgrade-account">
 						<?php esc_html_e( 'Upgrade account', 'tiny-compress-images' ); ?>
 					</a>
 				</div>

src/views/account-status-create-advanced.php

@@ -47,13 +47,12 @@
 				'<a href="https://tinypng.com/dashboard/api" target="_blank">%s</a>',
 				esc_html__( 'API dashboard', 'tiny-compress-images' )
 			);
-			printf(
-				/* translators: %s: link saying API dashboard */
-				esc_html__(
-					'Enter your API key. Go to your %s to retrieve it.',
-					'tiny-compress-images'
-				),
-				$link
+			echo wp_kses_post(
+				sprintf(
+					/* translators: %s: link saying API dashboard */
+					__( 'Enter your API key. Go to your %s to retrieve it.', 'tiny-compress-images' ),
+					$link
+				)
 			);
 			?>
 		</p>